[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373
abarth at webkit.org
abarth at webkit.org
Thu Apr 8 00:59:25 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit 907caeb71e980089a8cce308d013aec182ab54aa
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sun Jan 10 08:10:00 2010 +0000
2010-01-09 Adam Barth <abarth at webkit.org>
Reviewed by Darin Adler.
Unify origin sandbox flag with m_noAccess in SecurityOrigin
https://bugs.webkit.org/show_bug.cgi?id=32372
It turns out the SandboxOrigin bit is slightly different than the
unique origin concept because the sandbox bit is inherited by iframes.
These concepts are separate in the spec, so I think it's ok to keep
them separate in the implementation as well.
No new tests because there is no behavior change.
* dom/Document.cpp:
(WebCore::Document::cookie):
(WebCore::Document::setCookie):
* loader/CrossOriginAccessControl.cpp:
(WebCore::passesAccessControlCheck):
* page/SecurityOrigin.cpp:
(WebCore::schemesWithUniqueOrigins):
(WebCore::SecurityOrigin::SecurityOrigin):
(WebCore::SecurityOrigin::canAccess):
(WebCore::SecurityOrigin::canRequest):
(WebCore::SecurityOrigin::taintsCanvas):
(WebCore::SecurityOrigin::setSandboxFlags):
(WebCore::SecurityOrigin::toString):
(WebCore::SecurityOrigin::registerURLSchemeAsNoAccess):
(WebCore::SecurityOrigin::shouldTreatURLSchemeAsNoAccess):
* page/SecurityOrigin.h:
(WebCore::SecurityOrigin::canAccessDatabase):
(WebCore::SecurityOrigin::canAccessStorage):
(WebCore::SecurityOrigin::canAccessCookies):
(WebCore::SecurityOrigin::isUnique):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53049 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 19a3950..af51d5d 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -2,6 +2,41 @@
Reviewed by Darin Adler.
+ Unify origin sandbox flag with m_noAccess in SecurityOrigin
+ https://bugs.webkit.org/show_bug.cgi?id=32372
+
+ It turns out the SandboxOrigin bit is slightly different than the
+ unique origin concept because the sandbox bit is inherited by iframes.
+ These concepts are separate in the spec, so I think it's ok to keep
+ them separate in the implementation as well.
+
+ No new tests because there is no behavior change.
+
+ * dom/Document.cpp:
+ (WebCore::Document::cookie):
+ (WebCore::Document::setCookie):
+ * loader/CrossOriginAccessControl.cpp:
+ (WebCore::passesAccessControlCheck):
+ * page/SecurityOrigin.cpp:
+ (WebCore::schemesWithUniqueOrigins):
+ (WebCore::SecurityOrigin::SecurityOrigin):
+ (WebCore::SecurityOrigin::canAccess):
+ (WebCore::SecurityOrigin::canRequest):
+ (WebCore::SecurityOrigin::taintsCanvas):
+ (WebCore::SecurityOrigin::setSandboxFlags):
+ (WebCore::SecurityOrigin::toString):
+ (WebCore::SecurityOrigin::registerURLSchemeAsNoAccess):
+ (WebCore::SecurityOrigin::shouldTreatURLSchemeAsNoAccess):
+ * page/SecurityOrigin.h:
+ (WebCore::SecurityOrigin::canAccessDatabase):
+ (WebCore::SecurityOrigin::canAccessStorage):
+ (WebCore::SecurityOrigin::canAccessCookies):
+ (WebCore::SecurityOrigin::isUnique):
+
+2010-01-09 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Darin Adler.
+
ScriptController::isEnabled needs to be renamed
https://bugs.webkit.org/show_bug.cgi?id=32063
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index a616e21..fe24a57 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -3068,7 +3068,7 @@ String Document::cookie(ExceptionCode& ec) const
// INVALID_STATE_ERR exception on getting if the Document has no
// browsing context.
- if (securityOrigin()->isSandboxed(SandboxOrigin)) {
+ if (!securityOrigin()->canAccessCookies()) {
ec = SECURITY_ERR;
return String();
}
@@ -3089,7 +3089,7 @@ void Document::setCookie(const String& value, ExceptionCode& ec)
// INVALID_STATE_ERR exception on setting if the Document has no
// browsing context.
- if (securityOrigin()->isSandboxed(SandboxOrigin)) {
+ if (!securityOrigin()->canAccessCookies()) {
ec = SECURITY_ERR;
return;
}
diff --git a/WebCore/loader/CrossOriginAccessControl.cpp b/WebCore/loader/CrossOriginAccessControl.cpp
index 7a21280..01596e2 100644
--- a/WebCore/loader/CrossOriginAccessControl.cpp
+++ b/WebCore/loader/CrossOriginAccessControl.cpp
@@ -100,8 +100,7 @@ bool passesAccessControlCheck(const ResourceResponse& response, bool includeCred
if (accessControlOriginString == "*" && !includeCredentials)
return true;
- // A sandboxed frame has a unique origin (for same-origin purposes).
- if (securityOrigin->isSandboxed(SandboxOrigin))
+ if (securityOrigin->isUnique())
return false;
RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
diff --git a/WebCore/page/SecurityOrigin.cpp b/WebCore/page/SecurityOrigin.cpp
index f53dbf1..cdc80bc 100644
--- a/WebCore/page/SecurityOrigin.cpp
+++ b/WebCore/page/SecurityOrigin.cpp
@@ -65,22 +65,24 @@ static URLSchemesMap& localSchemes()
return localSchemes;
}
-static URLSchemesMap& noAccessSchemes()
+static URLSchemesMap& schemesWithUniqueOrigins()
{
- DEFINE_STATIC_LOCAL(URLSchemesMap, noAccessSchemes, ());
+ DEFINE_STATIC_LOCAL(URLSchemesMap, schemesWithUniqueOrigins, ());
- if (noAccessSchemes.isEmpty())
- noAccessSchemes.add("data");
+ // This is a willful violation of HTML5.
+ // See https://bugs.webkit.org/show_bug.cgi?id=11885
+ if (schemesWithUniqueOrigins.isEmpty())
+ schemesWithUniqueOrigins.add("data");
- return noAccessSchemes;
+ return schemesWithUniqueOrigins;
}
SecurityOrigin::SecurityOrigin(const KURL& url)
- : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
+ : m_sandboxFlags(SandboxNone)
+ , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
, m_host(url.host().isNull() ? "" : url.host().lower())
, m_port(url.port())
- , m_sandboxFlags(SandboxNone)
- , m_noAccess(false)
+ , m_isUnique(false)
, m_universalAccess(false)
, m_domainWasSetInDOM(false)
{
@@ -90,7 +92,11 @@ SecurityOrigin::SecurityOrigin(const KURL& url)
// Some URLs are not allowed access to anything other than themselves.
if (shouldTreatURLSchemeAsNoAccess(m_protocol))
- m_noAccess = true;
+ m_isUnique = true;
+
+ // If this ASSERT becomes false in the future, please consider the impact
+ // of m_sandoxFlags on m_isUnique.
+ ASSERT(m_sandboxFlags == SandboxNone);
// document.domain starts as m_host, but can be set by the DOM.
m_domain = m_host;
@@ -100,7 +106,7 @@ SecurityOrigin::SecurityOrigin(const KURL& url)
if (m_canLoadLocalResources) {
// Directories should never be readable.
if (!url.hasPath() || url.path().endsWith("/"))
- m_noAccess = true;
+ m_isUnique = true;
}
if (isDefaultPortForProtocol(m_port, m_protocol))
@@ -108,12 +114,12 @@ SecurityOrigin::SecurityOrigin(const KURL& url)
}
SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
- : m_protocol(other->m_protocol.threadsafeCopy())
+ : m_sandboxFlags(other->m_sandboxFlags)
+ , m_protocol(other->m_protocol.threadsafeCopy())
, m_host(other->m_host.threadsafeCopy())
, m_domain(other->m_domain.threadsafeCopy())
, m_port(other->m_port)
- , m_sandboxFlags(other->m_sandboxFlags)
- , m_noAccess(other->m_noAccess)
+ , m_isUnique(other->m_isUnique)
, m_universalAccess(other->m_universalAccess)
, m_domainWasSetInDOM(other->m_domainWasSetInDOM)
, m_canLoadLocalResources(other->m_canLoadLocalResources)
@@ -153,15 +159,15 @@ bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
if (m_universalAccess)
return true;
- if (m_noAccess || other->m_noAccess || isSandboxed(SandboxOrigin) || other->isSandboxed(SandboxOrigin))
+ if (isUnique() || other->isUnique())
return false;
// Here are two cases where we should permit access:
//
- // 1) Neither document has set document.domain. In this case, we insist
+ // 1) Neither document has set document.domain. In this case, we insist
// that the scheme, host, and port of the URLs match.
//
- // 2) Both documents have set document.domain. In this case, we insist
+ // 2) Both documents have set document.domain. In this case, we insist
// that the documents have set document.domain to the same value and
// that the scheme of the URLs match.
//
@@ -194,11 +200,11 @@ bool SecurityOrigin::canRequest(const KURL& url) const
if (m_universalAccess)
return true;
- if (m_noAccess || isSandboxed(SandboxOrigin))
+ if (isUnique())
return false;
RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
- if (targetOrigin->m_noAccess)
+ if (targetOrigin->isUnique())
return false;
// We call isSameSchemeHostPort here instead of canAccess because we want
@@ -221,11 +227,12 @@ bool SecurityOrigin::taintsCanvas(const KURL& url) const
if (canRequest(url))
return false;
- // This method exists because we treat data URLs as noAccess, contrary
- // to the current (9/19/2009) draft of the HTML5 specification. We still
- // want to let folks paint data URLs onto untainted canvases, so we special
- // case data URLs below. If we change to match HTML5 w.r.t. data URL
- // security, then we can remove this method in favor of !canRequest.
+ // This function exists because we treat data URLs as having a unique origin,
+ // contrary to the current (9/19/2009) draft of the HTML5 specification.
+ // We still want to let folks paint data URLs onto untainted canvases, so
+ // we special case data URLs below. If we change to match HTML5 w.r.t.
+ // data URL security, then we can remove this function in favor of
+ // !canRequest.
if (url.protocolIs("data"))
return false;
@@ -248,8 +255,8 @@ bool SecurityOrigin::canLoad(const KURL& url, const String& referrer, Document*
void SecurityOrigin::grantLoadLocalResources()
{
- // This method exists only to support backwards compatibility with older
- // versions of WebKit. Granting privileges to some, but not all, documents
+ // This function exists only to support backwards compatibility with older
+ // versions of WebKit. Granting privileges to some, but not all, documents
// in a SecurityOrigin is a security hazard because the documents without
// the privilege can obtain the privilege by injecting script into the
// documents that have been granted the privilege.
@@ -262,6 +269,22 @@ void SecurityOrigin::grantUniversalAccess()
m_universalAccess = true;
}
+void SecurityOrigin::setSandboxFlags(SandboxFlags flags)
+{
+ m_sandboxFlags = flags;
+ if (isSandboxed(SandboxOrigin))
+ m_isUnique = true;
+
+ // Although you might think that we should set m_isUnique to false when
+ // flags doesn't contain SandboxOrigin, that's not actually the right
+ // behavior. We're supposed to freeze the origin of a document when it
+ // is created, even if the sandbox flags change after that point in time.
+ //
+ // FIXME: Our current behavior here is buggy because we need to
+ // distinguish between the sandbox flags at creation and the
+ // sandbox flags that might come about later.
+}
+
bool SecurityOrigin::isLocal() const
{
return shouldTreatURLSchemeAsLocal(m_protocol);
@@ -282,7 +305,7 @@ String SecurityOrigin::toString() const
if (isEmpty())
return "null";
- if (m_noAccess || isSandboxed(SandboxOrigin))
+ if (isUnique())
return "null";
if (m_protocol == "file")
@@ -440,12 +463,12 @@ bool SecurityOrigin::shouldTreatURLSchemeAsLocal(const String& scheme)
void SecurityOrigin::registerURLSchemeAsNoAccess(const String& scheme)
{
- noAccessSchemes().add(scheme);
+ schemesWithUniqueOrigins().add(scheme);
}
bool SecurityOrigin::shouldTreatURLSchemeAsNoAccess(const String& scheme)
{
- return noAccessSchemes().contains(scheme);
+ return schemesWithUniqueOrigins().contains(scheme);
}
bool SecurityOrigin::shouldHideReferrer(const KURL& url, const String& referrer)
diff --git a/WebCore/page/SecurityOrigin.h b/WebCore/page/SecurityOrigin.h
index 6673ac1..4a6eb3c 100644
--- a/WebCore/page/SecurityOrigin.h
+++ b/WebCore/page/SecurityOrigin.h
@@ -52,13 +52,13 @@ public:
static PassRefPtr<SecurityOrigin> create(const KURL&);
static PassRefPtr<SecurityOrigin> createEmpty();
- // Create a deep copy of this SecurityOrigin. This method is useful
+ // Create a deep copy of this SecurityOrigin. This method is useful
// when marshalling a SecurityOrigin to another thread.
PassRefPtr<SecurityOrigin> threadsafeCopy();
- // Set the domain property of this security origin to newDomain. This
+ // Set the domain property of this security origin to newDomain. This
// function does not check whether newDomain is a suffix of the current
- // domain. The caller is responsible for validating newDomain.
+ // domain. The caller is responsible for validating newDomain.
void setDomainFromDOM(const String& newDomain);
bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }
@@ -68,18 +68,18 @@ public:
unsigned short port() const { return m_port; }
// Returns true if this SecurityOrigin can script objects in the given
- // SecurityOrigin. For example, call this function before allowing
+ // SecurityOrigin. For example, call this function before allowing
// script from one security origin to read or write objects from
// another SecurityOrigin.
bool canAccess(const SecurityOrigin*) const;
// Returns true if this SecurityOrigin can read content retrieved from
- // the given URL. For example, call this function before issuing
+ // the given URL. For example, call this function before issuing
// XMLHttpRequests.
bool canRequest(const KURL&) const;
// Returns true if drawing an image from this URL taints a canvas from
- // this security origin. For example, call this function before
+ // this security origin. For example, call this function before
// drawing an image onto an HTML canvas element with the drawImage API.
bool taintsCanvas(const KURL&) const;
@@ -108,15 +108,15 @@ public:
// Explicitly grant the ability to access very other SecurityOrigin.
//
- // WARNING: This is an extremely powerful ability. Use with caution!
+ // WARNING: This is an extremely powerful ability. Use with caution!
void grantUniversalAccess();
- // Sandboxing status as determined by the frame.
- void setSandboxFlags(SandboxFlags flags) { m_sandboxFlags = flags; }
+ void setSandboxFlags(SandboxFlags);
bool isSandboxed(SandboxFlags mask) const { return m_sandboxFlags & mask; }
- bool canAccessDatabase() const { return !isSandboxed(SandboxOrigin); }
- bool canAccessStorage() const { return !isSandboxed(SandboxOrigin); }
+ bool canAccessDatabase() const { return !isUnique(); }
+ bool canAccessStorage() const { return !isUnique(); }
+ bool canAccessCookies() const { return !isUnique(); }
bool isSecureTransitionTo(const KURL&) const;
@@ -128,17 +128,24 @@ public:
// The empty SecurityOrigin is the least privileged SecurityOrigin.
bool isEmpty() const;
- // Convert this SecurityOrigin into a string. The string
+ // The origin is a globally unique identifier assigned when the Document is
+ // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
+ //
+ // There's a subtle difference between a unique origin and an origin that
+ // has the SandboxOrigin flag set. The latter implies the former, and, in
+ // addition, the SandboxOrigin flag is inherited by iframes.
+ bool isUnique() const { return m_isUnique; }
+
+ // Convert this SecurityOrigin into a string. The string
// representation of a SecurityOrigin is similar to a URL, except it
- // lacks a path component. The string representation does not encode
+ // lacks a path component. The string representation does not encode
// the value of the SecurityOrigin's domain property.
//
- // When using the string value, it's important to remember that it
- // might be "null". This happens when this SecurityOrigin has
- // noAccess to other SecurityOrigins. For example, this SecurityOrigin
- // might have come from a data URL, the SecurityOrigin might be empty,
- // or we might have explicitly decided that we
- // shouldTreatURLSchemeAsNoAccess.
+ // When using the string value, it's important to remember that it might be
+ // "null". This happens when this SecurityOrigin is unique. For example,
+ // this SecurityOrigin might have come from a sandboxed iframe, the
+ // SecurityOrigin might be empty, or we might have explicitly decided that
+ // we shouldTreatURLSchemeAsNoAccess.
String toString() const;
// Serialize the security origin to a string that could be used as part of
@@ -146,7 +153,7 @@ public:
String databaseIdentifier() const;
// This method checks for equality between SecurityOrigins, not whether
- // one origin can access another. It is used for hash table keys.
+ // one origin can access another. It is used for hash table keys.
// For access checks, use canAccess().
// FIXME: If this method is really only useful for hash table keys, it
// should be refactored into SecurityOriginHash.
@@ -183,12 +190,12 @@ private:
explicit SecurityOrigin(const KURL&);
explicit SecurityOrigin(const SecurityOrigin*);
+ SandboxFlags m_sandboxFlags;
String m_protocol;
String m_host;
String m_domain;
unsigned short m_port;
- SandboxFlags m_sandboxFlags;
- bool m_noAccess;
+ bool m_isUnique;
bool m_universalAccess;
bool m_domainWasSetInDOM;
bool m_canLoadLocalResources;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list